agentgateway: drop unsupported frontend TLS annotations

Ingress NGINX does not document the frontend TLS listener knobs\nthat PR #96 treated as per-Ingress annotations. Related upstream TLS\ncontrols exist, but they do not map cleanly to agentgateway's\nfrontend.tls handshake timeout or ALPN fields.\n\nRemove the unsupported provider and emitter mapping, delete the\nrelated fixtures and tests, and update the ingress-nginx and\nagentgateway docs to reflect that these frontend TLS settings are not\ncurrently projected from ingress-nginx inputs.\n\nRefs #59

Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>

Author: danehans

pkg/i2gw/emitter_intermediate/intermediate_representation.go

@@ -161,12 +161,6 @@ type BackendTLSPolicy struct {
 	Hostname   string
 }
 
-// FrontendTLSPolicy defines frontend TLS listener policy extracted from annotations.
-type FrontendTLSPolicy struct {
-	HandshakeTimeout *metav1.Duration
-	ALPNProtocols    []string
-}
-
 // Policy describes per-Ingress policy knobs projected by providers.
 type Policy struct {
 	ClientBodyBufferSize *resource.Quantity
@@ -182,7 +176,6 @@ type Policy struct {
 	SessionAffinity      *SessionAffinityPolicy
 	LoadBalancing        *BackendLoadBalancingPolicy
 	BackendTLS           *BackendTLSPolicy
-	FrontendTLS          *FrontendTLSPolicy
 	BackendProtocol      *BackendProtocol
 	SSLRedirect          *bool
 	RewriteTarget        *string

pkg/i2gw/emitters/agentgateway/README.md

@@ -287,25 +287,12 @@ These are mapped into an `AgentgatewayPolicy` using agentgateway’s `Traffic.Ti
 
 #### Frontend TLS Settings
 
-The agentgateway emitter supports projecting frontend TLS listener settings via:
-
-- `nginx.ingress.kubernetes.io/ssl-handshake-timeout`
-- `nginx.ingress.kubernetes.io/ssl-alpn`
-
-These are mapped into an `AgentgatewayPolicy` using agentgateway's `Frontend.TLS` model:
-
-- `ssl-handshake-timeout` -> `AgentgatewayPolicy.spec.frontend.tls.handshakeTimeout`
-- `ssl-alpn` -> `AgentgatewayPolicy.spec.frontend.tls.alpnProtocols`
+Ingress NGINX does not document per-Ingress annotations for the downstream TLS handshake timeout or ALPN protocol
+settings exposed by `AgentgatewayPolicy.spec.frontend.tls`.
 
 **Notes:**
 
-- Agentgateway validates `spec.frontend` only on `Gateway` targets, so ingress2gateway emits a single
-  Gateway-targeted policy named `<gateway>-frontend-tls`.
-- If multiple source Ingresses on the same Gateway request different frontend TLS settings, the emitter returns an
-  error because agentgateway cannot scope these settings to an individual HTTPRoute or listener.
-- `ssl-handshake-timeout` accepts either Go-style durations (`20s`, `1m`) or bare seconds (`20`) and must be at least `100ms`.
-- `ssl-alpn` is parsed as a comma-separated list and de-duplicated while preserving order.
-- If only `ssl-alpn` is set, the provider projects a default `15s` handshake timeout so `spec.frontend.tls` remains valid.
+- ingress2gateway does not currently emit additional `frontend.tls` settings for ingress-nginx inputs.
 
 #### Local Rate Limiting
 

pkg/i2gw/emitters/agentgateway/emitter.go

@@ -65,11 +65,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 	// Track AgentgatewayPolicies per ingress name
 	agentgatewayPolicies := map[string]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
-	// Track Gateway-scoped frontend TLS policies. Agentgateway validates
-	// spec.frontend only when the policy targets the Gateway directly.
-	gatewayFrontendTLSPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
-	gatewayFrontendTLSPolicySources := map[types.NamespacedName]string{}
-
 	// Track backend-scoped AgentgatewayPolicies per Service (ns/name) (e.g. TLS, connect timeout)
 	backendPolicies := map[types.NamespacedName]*agentgatewayv1alpha1.AgentgatewayPolicy{}
 
@@ -117,18 +112,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 				touched = true
 			}
 
-			// Frontend TLS settings are Gateway-scoped in agentgateway.
-			if _, frontendTLSErr := applyFrontendTLSPolicy(
-				pol,
-				polSourceIngressName,
-				httpRouteContext.HTTPRoute,
-				httpRouteKey.Namespace,
-				gatewayFrontendTLSPolicies,
-				gatewayFrontendTLSPolicySources,
-			); frontendTLSErr != nil {
-				errs = append(errs, frontendTLSErr)
-			}
-
 			// Check if SSL redirect is enabled but don't apply it yet (will split route later).
 			if applySSLRedirectPolicy(pol) {
 				routesToSplitForSSLRedirect[httpRouteKey] = true
@@ -355,11 +338,6 @@ func (e *Emitter) Emit(ir emitterir.EmitterIR) (i2gw.GatewayResources, field.Err
 		}
 	}
 
-	// Collect Gateway-scoped frontend TLS policies.
-	for _, ap := range gatewayFrontendTLSPolicies {
-		agentgatewayObjs = append(agentgatewayObjs, ap)
-	}
-
 	// Collect AgentgatewayPolicies
 	for _, ap := range agentgatewayPolicies {
 		agentgatewayObjs = append(agentgatewayObjs, ap)

pkg/i2gw/emitters/agentgateway/emitter_integration_test.go

@@ -311,32 +311,6 @@ func TestAgentgatewayIngressNginxIntegration_Timeouts(t *testing.T) {
 	}
 }
 
-func TestAgentgatewayIngressNginxIntegration_FrontendTLS(t *testing.T) {
-	t.Helper()
-
-	tests := []struct {
-		name      string
-		inputRel  string
-		goldenRel string
-	}{
-		{
-			name: "frontend_tls",
-			inputRel: filepath.Join(
-				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "input", "frontend_tls.yaml",
-			),
-			goldenRel: filepath.Join(
-				"pkg", "i2gw", "emitters", "agentgateway", "testing", "testdata", "output", "frontend_tls.yaml",
-			),
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			runGoldenTest(t, tt.inputRel, tt.goldenRel)
-		})
-	}
-}
-
 func TestAgentgatewayIngressNginxIntegration_CORS(t *testing.T) {
 	t.Helper()